Business Continuity Management (6): Preparation against Specific Threats

1. Looks at your organisation in a way that makes the recovery requirements and priorities clear through a business impact analysis (BIA).
2. Assesses the threats to the organisation that need protecting against (incidents that are serious enough to completely stop your organisation from functioning, usually referred to as Business Continuity Incidents) and refines them into a set of common response triggers.
3. Provides a structured approach to developing an appropriate business continuity strategy and preparing and testing business continuity plans (BCP’s) that will help the organisation to respond to a Business Continuity Incident.

Embedding BCM in the Organisation's Culture
(click to see enlarged view).

The list of threats that organisations consider to be Business Continuity incidents needs to be continually reviewed and from time to time a new threat will emerge.  The ‘new’ threat may be a variation of an existing one or one which had never been considered before. The threat may be something which is absolutely specific to your organisation or premises or it maybe something much more widespread in which case it is likely to have attracted media attention and possibly statutory rules or guidelines.

Either way there will be temptation to create a new strategy and write plans to deal with the specific problem, rather than review and if necessary enhance the existing business continuity plans.  However neat and simple it sounds at the time, you are building up a long term problem, that will result in a library of incompatible partial solutions.

The approach we always recommend is to treat these new specific threats in the same way as the established ones. Firstly, break them down into their component response triggers as per the third article in this series. You may need to create a new trigger, as well as reusing existing ones, but the new trigger will be much more specific than the overall threat.  It is quite possible that the new threat can be broken down into existing triggers and that no new strategy or response arrangements are necessary; the updates to the plans can be simple updates to the situations in which a particular trigger response is activated.

A recent example is pandemic avian flu, which following initial media hype is now being treated seriously by most organisations. During a pandemic, many staff are likely to fall sick or will need to look after sick family members.  Schools will shut and children will need to be looked after at home.  Public transport systems will be closed down and private driving will be discouraged. The pandemic may be spread globally and your suppliers, intermediaries and customers will all be affected. Global trade will more or less stop and business survival will not be high on anyone’s priorities but putting the business into complete hibernation is unlikely to be an option your business owners will willingly accept.

On face value it appears completely unlike the other threats most organisations have prepared against, such as fire, flood, bomb damage, public transport system failure and system loss. But it can be broken down to triggers along the lines of:

1. Staff unavailable for work due to sickness (or caring for sick family) or death.
2. Staff cannot get to primary or fallback premises to work, as no transport available.
3. Suppliers and intermediaries cannot carry out their services.

All of these triggers are likely to have been associated with your other
threats, i.e.:

1. can be triggered by most threats that impact a building such as fire or bomb damage.  For pandemic flu many organisations are stress testing their response to this assuming a 50% sickness rate, with staff out for the duration. This is a higher rate than usually assumed for other threats and obviously stretches an organisation’s ability to cover key staff absence through cross training.
2. can be triggered by transport failures or police cordons from bomb threats that affect travel particularly in large commuter cities. Usually these types of disruption last only a limited length of time usually less than 48 hours; Pandemic flu stretches this to two to three weeks.
3. is usually triggered by the failure of a single key supplier, rather than all of them at once.  For the pandemic flu example, organisations are now starting to look at their key supplier’s service continuity arrangements in emergency situations and how they fit in with their own, something that should have always been done but generally was felt rather unnecessary and left as a low priority task.

For all three triggers the business continuity response (the Business Continuity Strategy) needs to be reviewed with the new threat in mind.  If it needs strengthening then the upgraded response will be suitable for all of the threats associated with it and will generally result in a better recovery all round.

The above example, if the recovery strategy is to provide staff with the capability to do their work from home (at least on an emergency basis) as they cannot travel to either their normal premises or to a fallback site, will give the option of home-working in all sorts of emergency circumstances.  It can potentially reduce the need for a fallback site and hence costs. Obviously this is more than just a technical solution and will require a revised set of management controls to run the organisation in a distributed fashion.  However the better implemented, the more flexibility the organisation would have for all sorts of scenarios, both in a disaster and in business as usual.

Once the response to all the triggers has been decided, then the business continuity plans can be updated to reflect the changes and tested in the usual ways.

New threats will never stop appearing. There will always be media hyped sensations that will worry the board and result in panicky requests to plan against them. Often this is the only way of securing new funds for business continuity.